If any other JavaScript request library than jQuery is being used, the requests need to send the CSRF token as an HTTP header named requesttoken. The token is available in the global variable oc_requesttoken.